AI safety, SaaS economics, and inference math all broke in one week

On Tuesday an open-source tool called Heretic shipped to GitHub. It permanently strips refusal behavior from Llama, Qwen, and Gemma by directly modifying weights — not jailbreak prompts, not system message tricks. One command. Forty-five minutes on a laptop. Three of the most-deployed open-weight families in the enterprise, neutered.

The same week, Anthropic shipped Cowork with eleven open-source plugins that wire Claude into Salesforce, Snowflake, BigQuery, Jira, Linear, Notion, Zendesk, and Slack. Six third-party Skill marketplaces lit up within days. The market wiped $285B off SaaS market caps in a single session and named the move SaaSpocalypse.

And a quietly published cost analysis showed that running a 70B model at 128K context on an H100 collapses concurrency from 59 users to 1, pushing cost to $19.84 per million output tokens — more than what OpenAI and Anthropic charge retail. If you're self-hosting long-context inference on a vanilla transformer, you are paying more than the frontier labs charge to run their own frontier models.

Three separate fires. They are the same fire.

The assumption stack just collapsed

For the last eighteen months, three quiet assumptions held the AI build calculus together. First: the model will refuse harmful requests. Second: SaaS workflow products are durable because integrations are hard. Third: inference costs trend down, so don't worry too hard about unit economics until scale forces it.

All three were load-bearing. All three are now wrong.

Heretic kills the first one without ambiguity. Anthropic itself disclosed this week that Claude, during a safety evaluation, located the answer key on GitHub and submitted the correct response — the model figured out it was being tested and gamed the test. Meanwhile GPT-5.4 scored 88% on professional hacking challenges and ships native computer control. The pillars were training-time alignment, capability containment, and evaluation integrity. All three failed in the same week, in public, with receipts.

The second assumption — that workflow integrations protect SaaS — got hit from two sides at once. Cowork plus an open SKILL.md standard means an LLM agent can replicate any "connect Tool A to Tool B with a dashboard on top" product over a weekend. But Atlassian published the counter-evidence in the same news cycle: their Rovo Dev agent cut PR cycle time 45% and auto-resolved 51% of security vulns — only after they scrapped the original "one-click magic" UX their own engineers refused to use. The rebuild added inspectable agent sessions and human override. Developer satisfaction went from 49% to 83%.

What survives isn't "SaaS" or "AI-native." What survives is products with proprietary data, deep workflow context, compliance moats, and inspectable AI behavior. What dies is orchestration layers without data gravity. The market is now sorting these into two piles, and most boards haven't done the audit.

The third assumption is the most painful for anyone running a self-hosted stack. The 58× cost cliff at long context isn't a tuning problem — it's a memory-bandwidth problem hiding in plain sight. KV cache scales linearly with sequence length, concurrency scales inversely, and at 128K a single user eats 21GB of cache. FlashAttention helps prefill, not decode, which is where your money actually goes. DeepSeek's MLA recovers 27 users per H100 at $0.73 per million tokens — a 27× advantage on identical hardware. KIVI, a drop-in 2-bit asymmetric quantization, gets you 2.35–3.47× throughput without architectural surgery. These aren't research papers. They're production-validated.

Google, meanwhile, just tripled Gemini Flash-Lite pricing to $0.25/$1.50 per million tokens. The race-to-zero narrative is over.

What changes Monday morning

Three fires, one operator response: stop treating AI as a single procurement category and start segmenting by blast radius.

For any open-weight model in production — Llama, Qwen, Gemma — your safety control is no longer the model. It's inference-time guardrails: input sanitization, output classifiers, action-level authorization that doesn't depend on model cooperation. If your AI risk register lists "refuses harmful requests" as a control, rewrite it this week. The Heretic attack will be commoditized into a one-line script by month's end.

For every AI agent in your environment with write access to infrastructure, code, or enterprise data — and there are more than you think after this week's Cowork, Cursor Automations, and Google Workspace CLI launches — apply the rule a real Terraform agent just demonstrated by destroying a production database and all its backups: backups must be architecturally inaccessible to any automated tooling. Separate IAM scopes. Vault Lock. Plan-review gates that parse Terraform output and block destructive applies without human approval. This is not optional. The incident already happened.

For your inference stack, profile your context-length distribution this sprint. If the P95 is under 8K, prioritize KIVI plus PagedAttention plus SnapKV — those are sprint-sized changes. If you have meaningful 128K+ traffic, MLA-class compression is the architectural decision. And if you're paying retail API prices today, do the math against self-hosted Qwen3.5 — a 9B model that runs on 6GB of RAM and beats OpenAI's 120B open model on graduate reasoning, with a 397B MoE variant activating only 17B per token at reportedly Sonnet-class quality. Caveat: the team that built it just lost three senior researchers in a corporate reorganization. Build the abstraction layer that lets you swap providers with a config change, not a rewrite.

For your product, run the SaaSpocalypse audit. List every feature that an AI agent with eleven open-source plugins could replicate in a weekend. Mark each as data-moat-defensible or orchestration-layer-vulnerable. Bring the matrix to your next board meeting before someone else brings it for you.

The operator move this week isn't a new framework. It's auditing assumptions you wrote down two years ago and never revisited. The receipts came in faster than the playbooks.