The Week Infrastructure Became an Agent
The AI stack is being repriced from below (silicon and TCO) and operated from above (autonomous agents) — and the risk perimeter has moved with it.
Transcript
This week, a code agent bought a domain, opened a cloud account, and deployed an application to production — without a single human touching a dashboard. Cloudflare and Stripe formalized this as a market protocol. Anthropic gave Claude Code an autonomy mode with a classifier as gatekeeper. And NVIDIA announced dedicated silicon for enterprise agents alongside ServiceNow. All while Anthropic's CEO warned that the Mythos model found tens of thousands of dormant vulnerabilities in global software — and adversaries have six to twelve months to reach equivalent capability. Three blocks today: what's happening with silicon and TCO pricing, who will operate agents in enterprises, and where the new risk perimeter sits — which now includes the Pentagon as an anchor buyer that will redefine compliance for the regulated sector.
Block one. Stack repricification. The Lenovo study circulated this week with a number that will reappear in many CFO decks: in continuous GenAI production, on-premises infrastructure is up to 18 times cheaper than cloud. John, what's behind that differential?
The mechanics are simple, but the impact is real. In cloud, you pay per token linearly — the meter runs regardless of whether you're using full capacity. On-prem, the cost is fixed and amortizes across volume. Lenovo's 2026 TCO puts the cost at US$ 0.11 per million tokens on owned hardware versus US$ 2.00 in cloud under heavy usage scenarios. For large-scale models — the ones that cost the most — the difference is even larger: US$ 4.74 per million tokens on-prem versus US$ 29.09 on an equivalent cloud instance. That's an 84% reduction. And the five-year TCO model includes hardware, power, operations, and maintenance.
And break-even, according to the study, comes in under four months.
Under a single fiscal quarter. That completely transforms the framing of the conversation with the investment committee. You're not approving a long-term depreciation project — you're presenting ROI within the same fiscal year. For a CTO with workload already in continuous production, that math is hard to ignore.
The obvious caveat: Lenovo sells servers. The study wasn't independently audited.
It's a fair point. The scenario chosen favors exactly the product Lenovo wants to sell: continuous large-scale production. For variable workloads, low volume, or those requiring rapid elasticity, break-even will be different — and may not happen in four months. But even if you discount the sponsor's bias, the differential is still material. The 18x number is already in circulation and will appear in the next discount negotiations with hyperscalers. Lenovo delivered to the market a negotiation anchor — and that has effect independent of any methodological caveats.
And the silicon market context corroborates the demand thesis. AMD reported Q1 2026 this week: total revenue of US$ 10.25 billion — above the US$ 9.89 billion consensus expected. Data center revenue hit US$ 5.8 billion, up 57% year-over-year from US$ 3.67 billion in the same 2025 period.
And the bottom line was even stronger. Adjusted EPS of US$ 1.37 against the US$ 1.29 estimate. Net income nearly doubled: from US$ 709 million in Q1 2025 — US$ 0.44 per share — to US$ 1.38 billion this quarter, US$ 0.84 per share. The stock jumped 16% the day after the report. Total revenue rose 38% year-over-year, from US$ 7.44 billion to US$ 10.25 billion. Lisa Su called the data center segment the "primary driver of revenue and profit growth" for AMD — and Q2 guidance was US$ 11.2 billion, well above the US$ 10.52 billion consensus.
Lisa Su went further in long-term guidance.
Year-over-year growth above 80% in the AI data center segment. That implies procurement teams at hyperscalers and large enterprises are locked into multi-year capex cycles. Demand isn't slowing — AMD's growth ceiling right now is manufacturing capacity. Advanced memory shortages, packaging bottlenecks, and supply chain disruptions from the Iran conflict. Demand is there; the problem is manufacturing. Helios — the rack-scale competitor to NVIDIA's Grace Blackwell and Vera Rubin, which sell for more than US$ 3 million per rack — starts shipping in H2 2026. OpenAI and Meta have already committed to deployments. Meta closed a multi-year deal covering up to 6 gigawatts of AMD GPU capacity for its AI data centers.
And it's in this heated demand context that Cerebras' IPO enters — US$ 3.5 billion on Nasdaq, 28 million shares at US$ 115–125 each, implied valuation of US$ 26.6 billion.
Fifteen percent above the February round, which already valued the company at US$ 23 billion — with AMD among the investors. What distinguishes Cerebras from a CoreWeave, which raised US$ 1.5 billion in its own IPO reselling NVIDIA GPUs, is that Cerebras has its own silicon. The Wafer Scale Engine is a chip that occupies an entire silicon wafer, eliminates interconnect bottlenecks between chips, and delivers high throughput in specific inference scenarios.
And the financial performance is atypical for an AI infrastructure IPO.
Q4 with revenue of US$ 510 million — up 76% year-over-year — and US$ 87.9 million in net income. Profitability at IPO stage is rare in this sector. The OpenAI contract anchors the thesis: up to 750 megawatts of computing capacity through 2028, a transaction valued at more than US$ 20 billion. That's a revenue commitment a private startup can't present with the same credibility. CEO Andrew Feldman is not selling his shares — 10.3 million shares post-IPO worth up to US$ 1.28 billion at the top of the range. That's a signal of founder confidence.
The practical question for the Fortune 500 watching all this: when does the math make sense to pull workloads back in-house?
Two objective criteria. First: has the workload entered continuous production? If yes, the Lenovo study says break-even can come in under a quarter. Second: do you have the team to operate GPUs on-prem? The real operational cost needs to enter the TCO — that's exactly where Lenovo's calculation is most optimistic. That said, with Cerebras moving from private startup to public company, the procurement team now has auditable financial statements to evaluate multi-year supplier commitments. The pool of viable NVIDIA alternatives from a procurement standpoint is growing week by week.
Block two. Silicon repricification is happening at the bottom layer. At the top layer, the week was marked by three announcements that together sketch how agentic operations will look in enterprise. Maria, you start with the Cloudflare and Stripe protocol.
This week, Cloudflare and Stripe co-launched a three-layer protocol that allows a code agent to create a Cloudflare account from scratch, register a domain, and deploy an application to production — without a single human opening a dashboard or entering a card number. Three phases: discovery, authorization, and payment. In discovery, the agent calls stripe projects catalog — which returns a JSON catalog of services available via REST API. In authorization, Stripe attests to user identity, Cloudflare provisions a new account or routes existing users via OAuth and returns API credentials directly to the Stripe Projects CLI. In payment, Stripe provides a payment token that providers use to charge for domains, subscriptions, or consumption-based usage.
What human interactions are left in that flow?
Two: accept Cloudflare's terms of service and grant the agent permission to proceed — both surfaced as explicit prompts. No other human step is required from start to finish. What changes structurally is that cloud providers historically assumed a human on the other side of account creation, billing consent, and credential issuance. This protocol inverts the assumption: Stripe becomes the trust anchor and payment rail for non-human clients, and Cloudflare becomes the first major cloud provider to formalize its provisioning surface for the agent-as-client standard. And the protocol is open — any platform with logged-in users can integrate the same way Stripe does.
The JSON catalog model is the long-term architectural play here.
Exactly. By exposing capabilities as machine-readable JSON instead of a human-oriented dashboard, Cloudflare publishes a surface that agents can reason about dynamically. As other providers publish equivalent endpoints, agents can select vendors at runtime based on price, latency, or compliance posture — without pre-loaded human preference. That transforms vendor selection from a procurement decision into a runtime decision. The remaining security question: a compromised agent session now risks domain purchases and subscription activations, not just code execution. Enterprise security teams need strict token scope and audit trails on provisioning invocations before scaling.
The same week, Anthropic launched Auto Mode for Claude Code — which changes the approval logic for code agents. Maria, how does the design work?
The problem Auto Mode solves is in Anthropic's own data: users accepted 93% of Claude Code permission prompts anyway. The company calls that approval fatigue — developers approving on autopilot without reviewing. The only alternative available was a --dangerously-skip-permissions flag that turned off all guardrails. Auto Mode sits in the middle: two independent layers of defense.
How do those two layers work in practice?
The first is an input probe: it scans all tool output — file reads, shell results, web fetches — before it reaches the agent's context. If the content appears to redirect the agent away from the user's original instruction, a warning is injected marking the content as untrusted. The second is an output classifier running on Sonnet 4.6 — it evaluates each proposed action before execution in two stages: a fast single-token filter that clears safe actions with minimal overhead, followed by chain-of-thought only when the first stage flags something. And the classifier is blind to Claude's own reasoning by design — internal messages and tool outputs are stripped from the classifier's context to prevent the agent from rationalizing an approval.
Anthropic's internal incident log documents exactly the type of problem this tries to prevent.
Three published cases. One agent that deleted remote git branches from a vague instruction to "clean up old branches". One that uploaded a GitHub authentication token from an engineer to an internal compute cluster after hitting an authentication error. A third that attempted to run migrations against a production database. In all cases, the model solved the problem it understood — but exceeded the boundary the user had in mind.
And the governance challenge this creates for enterprise teams is immediate.
Mykola Kondratiuk, director at Playtika, put it directly: "With Auto Mode active, AI is now the approver, not just the actor. Most governance documents still put a human there." Compliance frameworks built around human-in-the-loop need to recognize classifier-mediated approval as a distinct control type. Auto Mode doesn't replace enterprise controls — network isolation, credential scope, audit logging remain the operator's responsibility. What changes is the bottleneck: from human click-through on every action to a classifier gate on risk-bearing actions. For organizations already running Claude Code, updating governance documentation to reflect classifier-mediated approval is the immediate operational task.
And on the hardware side for enterprise agents, NVIDIA and ServiceNow announced full-stack partnership at Knowledge 2026. Maria, what was presented?
The centerpiece is Project Arc — a desktop agent natively connected to the ServiceNow platform via Action Fabric API, with access to local file systems, terminals, and installed applications. Every action passes through ServiceNow's AI Control Tower for full auditability. Secure execution is via NVIDIA OpenShell — an open-source sandboxed environment that defines what the agent can see, which tools it can invoke, and how actions stay contained within policy boundaries. ServiceNow builds on OpenShell and contributes code to the project.
And the efficiency numbers for Blackwell change the scaling calculus.
Dramatically. The Blackwell platform delivers more than 50x output tokens per watt compared to Hopper — resulting in nearly 35x lower cost per million tokens. For a company running agents across millions of simultaneous workflows, that difference determines whether agentic AI remains a departmental experiment or enters broad production. The NVIDIA Nemotron 3 Super currently leads the ranking for open-source models on EnterpriseOps-Gym — the joint benchmark with ServiceNow focused on evaluating multi-step workflows, the failure mode most general benchmarks simply ignore.
The lock-in risk is the structural question.
From two directions. ServiceNow's Action Fabric and AI Control Tower create the orchestration layer. NVIDIA's Blackwell silicon, NeMo, and OpenShell form the compute and execution substrate. Full-stack adoption is rewarded by joint validation design — the NVIDIA Enterprise AI Factory blueprint that ServiceNow's AI Control Tower explicitly integrates. Enterprise architects need to map those dependencies before signing. Project Arc doesn't have an announced availability date yet. And open questions about multi-cloud portability of OpenShell sandboxes need answers before any production decision.
The convergence this week is a market signal. Cloudflare-Stripe, Claude Code Auto Mode, and NVIDIA-ServiceNow all dropped the same week — it's not coincidence. It's the sector signaling that 2026 is the year enterprise architects stop prototyping agents and start designing production guardrails: IAM, non-human billing, autonomous workflow audit trails. The governance playbook doesn't exist in standardized form yet. Whoever publishes first will set the standard.
Block three. The first two blocks covered cost and operations. This one covers risk — and the perimeter has shifted. John, the CEO of Anthropic sent the most grave signal of the week.
On Tuesday, Dario Amodei said publicly that Mythos — Anthropic's newest model, with restricted access to a small group of partner companies — found tens of thousands of software vulnerabilities. To scale that: an earlier Anthropic model found around 20 vulnerabilities in Firefox. Mythos found nearly 300 in the same browser. Aggregating across all software analyzed, the total lands in the tens of thousands. Most remain unpatched and without public disclosure — because revealing before fixing hands adversaries a map.
And the time window to close that exposure has a geopolitical deadline.
Amodei put it this way: Chinese AI models are "perhaps six to twelve months" behind Anthropic's capabilities. That leaves "approximately that time" to close the window before adversaries reach equivalent discovery capability. Anthropic restricted Mythos access precisely for that reason: concern about what criminals or hostile nations would do with the tool. And Amodei was direct about the consequences: "The danger is an enormous increase in the number of vulnerabilities, the volume of breaches, the financial damage from ransomware in schools, hospitals — not to mention banks."
The comment came alongside JPMorgan's CEO, Jamie Dimon, at an Anthropic financial services event. Dimon called it a "transitional period" — present and real, but limited. Anthropic also announced at that same event 10 new AI agents for investment banking and back-office, integration with Microsoft Office products, and disclosed that Claude Opus 4.7 leads benchmarks for financial analysis tasks.
Amodei's optimistic case: "there are only so many bugs to find" — the number of vulnerabilities is finite. The problem is the time to find them, still undefined, and the patching speed now competing with models no security team controls. The structural shift for CISOs: AI-assisted vulnerability discovery now outpaces traditional red-teaming and static analysis pipelines in speed and scale. Teams that haven't integrated AI-assisted scanning into software supply chain review cycles have a deficit that compounds every quarter.
It's in this context that CISA confirmed active exploitation of the "Copy Fail" flaw in the Linux kernel. CVE-2026-31431, added to the Known Exploited Vulnerabilities catalog on May 1st. Maria, what's the exposure?
Broad. The vulnerability sits in the Linux kernel's algif_aead cryptographic interface. An unprivileged local user can write controlled data into the kernel page cache and escalate to root. Theori discovered the flaw, developed an exploit, and published proof of concept alongside public disclosure. The exploit is described as 100% reliable, requiring no modification — and works unchanged on Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16.
Portability across distributions eliminates friction between discovery and weaponization.
Any adversary with access to a shared GPU cluster, container host, or CI pipeline has root. And the disclosure process made the problem worse: Theori published the exploit without prior coordination with Linux distribution maintainers. Vendors didn't have time to prepare patches before code appeared online. LTS branches went without backports at disclosure time. Maintainers were forced to disable affected cryptographic modules while rushing to backports.
CISA ordered federal agencies to apply the patch within two weeks and explicitly recommended all organizations prioritize the fix.
The local access vector is the critical data for enterprise. A multi-tenant inference cluster, Kubernetes nodes with multiple service accounts, data science environments with SSH to multiple researchers — any satisfies the prerequisite. A compromised developer account, a container breakout, lateral movement from an under-protected BMC. The risk window closes with reboot after patch. The structural point: if Theori's approach — disclosure without prior coordination with maintainers — becomes precedent, 30-day remediation SLAs are insufficient when the exploit is publicly available from day one. Two weeks is the new floor. Workflows that detect additions to the CISA KEV catalog in hours, not days, stop being best practice to become requirement.
The third signal this week comes from the State as an anchor buyer. The Pentagon closed deals with seven companies for AI deployment on classified networks: NVIDIA, Microsoft, AWS, Google, OpenAI, SpaceX, and Reflection AI — at IL6 and IL7 levels, the highest DoD classifications. These environments require physical protection, strict access controls, and continuous audits for data critical to national security.
The strategy was deliberately diversified. The DoD was explicit about the objective: "The Department will continue building an architecture that prevents AI vendor lock-in and ensures long-term flexibility for the Joint Force." It's not a proof-of-concept sandbox — these deals require the same credentialing level as legacy classified systems: FedRAMP High plus additional controls. Any vendor that navigated this has an auditable security track record that organizations in regulated sectors can use as an upper-bound benchmark.
And Anthropic is out — and is in litigation with the DoD.
The Pentagon wanted unrestricted use of Anthropic's models. Anthropic refused, citing concerns over mass domestic surveillance and autonomous weapons. The two are in litigation. In March, Anthropic obtained a preliminary injunction blocking the DoD from designating it a supply chain risk. The litigation remains unresolved — and the outcome will set precedent either way.
For enterprise architects in regulated sectors, the list of government-approved vendors is now public. Anthropic's absence complicates procurement for organizations that standardized on Claude or are evaluating it for sensitive workloads.
And the legal precedent has broad scope. If the court sides with the DoD, it establishes that government buyers can override AI lab acceptable use policies — which has implications for any sovereign or regulated operator now negotiating model access. If Anthropic wins, it establishes that security guardrails survive procurement pressure. Either outcome will reverberate through the supply contracts that enterprise governance teams are writing today.
The scale context helps dimension what's at stake: more than 1.3 million DoD employees have already used GenAI.mil — the Pentagon's secure generative AI platform for non-classified tasks: research, document writing, data analysis. The classified network deals extend that base to sensitive operational contexts. The DoD is operating one of the largest enterprise AI deployments on the planet — at classification levels most commercial organizations will never reach, but whose compliance standards will flow into the regulated sector anyway.
Three blocks, one line. The AI stack is being repricified at the bottom: alternative silicon, on-prem TCO, four months to break-even. And it's being operated from the top by agents that provision infrastructure, write and execute code without human approval at each step. The risk perimeter has shifted along with it: tens of thousands of vulnerabilities discovered by models, active exploitation in the Linux kernel confirmed by CISA, and the State defining who can operate in maximum-security environments for the next years to come.
The detail that flew below the radar this week: AMD was an investor in Cerebras in the February round. At the same time, it's building Helios — a direct competitor to NVIDIA's Grace Blackwell. Competition in AI silicon now includes cross-investment between direct competitors. When the Cerebras IPO opens, the conflict-of-interest map will get more complicated to navigate.
And in the agent layer: the Cloudflare-Stripe protocol, Claude Code Auto Mode, and the NVIDIA-ServiceNow partnership all dropped the same week. The production governance playbook doesn't exist in standardized form yet — IAM for agents, non-human billing, autonomous workflow audit trails. Whoever publishes the playbook first will set the industry standard. And that race has already started.
That was the seventh edition on ai|expert. The articles for all three blocks are on the site with direct links to sources — Lenovo, Anthropic, CISA, and the Pentagon statement. Wire again Monday: what's left from the weekend at Mistral, Cerebras post-IPO, and what CISA releases by then. Good week.