The 3.3% number ends the AI distribution thesis

Microsoft has 450 million commercial M365 seats. It converted 15 million to Copilot. That's 3.3%, and it's the most expensive proof in tech history that bundling doesn't win in AI.

The consumer numbers compound the picture. ChatGPT sits at 440M DAU with zero enterprise distribution. Gemini at 82M. Claude at 9M — and Claude, with no consumer surface to speak of, has now passed Microsoft Copilot's 6M. Microsoft is down 19% YTD as the worst-performing Mag 7 stock. Eric Boyd, who ran Azure AI Platform, just left for Anthropic's infrastructure team. Thomas Dohmke walked away from GitHub. Rajesh Jha is retiring. This isn't normal turnover; it's a coordinated exit from the company with the most distribution toward the company with the best product.

The distribution thesis didn't get weaker. It got falsified.

What OpenAI is doing about its own version of this problem

ChatGPT's 900M weekly actives convert to paid at roughly 5%. So OpenAI is running three plays in parallel, and the capital structure tells you which one they actually believe. They hired Dave Dugan from Meta to run Global Ad Solutions and shipped ChatGPT ads via Criteo at $50K–$100K entry packages — early advertisers can't prove ROI yet, and conversational surfaces don't have the attribution primitives that fed-based ads do. They're consolidating ChatGPT, Codex, and Atlas into a single desktop app, with Fidji Simo's internal memo naming Claude Code as the competitive forcing function. And they're offering PE firms a 17.5% guaranteed minimum return through enterprise JV structures with TPG and Advent.

17.5% guaranteed is the most expensive capital any AI company has ever raised. Read it alongside the pre-IPO disclosures — $665B in compute commitments through 2030, Microsoft dependency flagged as material risk, 17+ active lawsuits — and the picture is a company whose burn is outrunning conventional capital sources before the IPO window opens in Q2–Q3. PE claims now sit senior to equity in the waterfall. If you hold OpenAI secondary, your model needs to reflect that.

Meta, meanwhile, runs its internal agent stack on Claude. Not Llama. Their CEO Agent, Second Brain, and My Claw — agent-to-agent negotiation between coworkers' bots — are all built on Anthropic. The company that ships the leading open-weights model chose a competitor's model for the workflows that touch its own executives. Take that as the cleanest enterprise signal of the year.

The agent layer is splitting in two directions at once

While the foundation-model market consolidates, the integration layer is bifurcating. GitHub and Figma are openly courting agents. Slack curated 12 MCP partners with rate limits. Workday is going further — planning to charge for agent access, which is the first concrete signal that "agent-seat pricing" is coming to enterprise SaaS. LinkedIn, Discord, and Meta don't support MCP at all.

The wildcard that makes most of this gatekeeping look temporary: Anthropic's computer-use Claude operates at the screen level. It clicks buttons. It reads menus. It does what a human contractor does. Anthropic shipped that capability four weeks after acquiring Vercept. Any monetization strategy premised on protocol-level chokepoints has a shrinking half-life when the alternative is a screen-level bypass.

And the security floor under all of this is missing. MCP — increasingly the standard agent-to-tool protocol — has no versioning, no content hashing, no approval-time snapshots. A malicious server can rewrite a tool's behavior between user consent and execution, and neither LangSmith nor Datadog will catch it because they log what was called, not whether it matched what was authorized. XM Cyber mapped eight validated privilege-escalation paths through a single over-permissioned AWS Bedrock identity, all executing through the AWS control plane and invisible to application monitoring. An autonomous bot called hackerbot-claw force-pushed credential-stealing malware to 76 of 77 Trivy version tags and hit Microsoft, DataDog, and CNCF in the same campaign. Langflow's RCE was weaponized 20 hours after the advisory; full exfiltration at hour 25.

Meanwhile, an active campaign is exploiting Microsoft's OAuth device code flow to grant attackers 90-day persistent tokens that bypass MFA entirely. Default-on in most Entra ID configurations. Hundreds of tenants already compromised.

What to do this week

Apply a 3.3% adoption ceiling to every AI feature in your roadmap whose primary thesis is "our users are already here." If the business case still works under that assumption, ship it. If it doesn't, the feature wasn't differentiated enough — and "distribution leverage" was hiding that fact from you.

For the security work, the prioritization is unambiguous: block device code flow in Entra ID conditional access today, audit every IAM principal with bedrock:UpdateAgent, PutModelInvocationLoggingConfiguration, or UpdateGuardrail, and pin all GitHub Actions to commit SHAs instead of mutable tags. These are hours of work, not sprints.

For architecture: build a model abstraction layer thin enough to swap providers in a single sprint. The OpenAI–Microsoft partnership is fracturing in public — across model building, competitive products, and the AGI escape clause — and the disclosed compute commitments mean strategic flexibility on either side is now constrained. Multi-vendor isn't a hedge anymore. It's the default posture for anyone who has to ship something that still works in eighteen months.